The House of Commons Culture, Media, and Sport Committee has published a cyber-security report recommending new requirements for data breach reporting, security auditing, and consumer compensation.
The report, Cyber Security: Protection of Personal Data Online Contents, was commissioned in the wake of the TalkTalk security breach in October 2015. However, the Committee does not confine itself to a discussion of that particular incident, but makes a number of wide-ranging recommendations on cyber-security.
Although the report calls for greater education and awareness raising for consumers, many of the Committee’s recommendations focus on a series of fines and financial incentives for companies handling personal data. These include:
- Empowering the Information Commissioner’s Office (ICO) to introduce “a series of escalating fines, based on the lack of attention to threats and vulnerabilities which have led to previous breaches”;
- Making it “easier for consumers to claim compensation if they have been the victim of a data breach”, by providing greater support through organisations like the Citizens Advice Bureau, ICO and police victim support units;
- The ICO introducing “an incentive structure that inhibits delays, for example escalating fines for delays in reporting a breach”;
- Encouraging companies to link “a portion of CEO compensation … to effective cyber security, in a way to be decided by the Board”.
The Committee has recommendations for software developers as well as the companies using their software.
We were also surprised that there is no requirement to make security a major consideration in the design of new IT systems and apps. We therefore recommend that security by design should be a core principle for new system and apps development and a mandatory part of developer training, with existing development staff retrained as necessary.
The Committee also recommends greater reporting requirements.
Organisations holding large amounts of personal data (on staff, customers, patients, taxpayers etc.) should report annually to the ICO on:
(i) Staff cyber-awareness training;
(ii) When their security processes were last audited, by whom and to what standard(s);
(iii) Whether they have an incident management plan in place and when it was last tested;
(iv) What guidance and channels they provide to current and prospective customers and suppliers on how to check that communications from them are genuine;
(v) The number of enquiries they process from customers to verify authenticity of communications;
(vi) The number of attacks of which they are aware and whether any were successful (i.e. actual breaches).
In addition, the report recommends that the ICO be given “powers of non-consensual audit, notably for health, local government and potentially for other sectors”.
Jesse Norman MP, Chair of the Committee, said:
Companies must have robust strategies and processes in place, backed by adequate resources and clear lines of accountability, to stay one step ahead in a sophisticated and rapidly evolving environment. Failure to prepare for or learn from cyber-attacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent.
Friendly critics have, however, pointed out the risk that some of the recommendations could have unintended consequences.
The threat of a fine may … have the undesired impact of encouraging those who have suffered from a cyber-attack to not report it, which is especially relevant since some criminals will blackmail their target with requests for money in order to stop an attack against the targeted entity/group. As a result some may end up finding it cheaper to pay the criminal rather than risk a fine from being honest by reporting the later breach.
— Mark Jackson, ISPReview
Finally, the Committee notes that the Investigatory Powers Bill could create attractive targets for data breaches.
During the oral evidence session, the ICO issued a stark warning about the Investigatory Powers Bill, currently before Parliament. The ICO said that it creates a “haystack of potential problems” given the huge pools of personal data that it would create and their vulnerability to attack and theft leading to personal data breaches. We also received evidence from academics who agreed on this point. The vulnerability of additional pooled data is an important concern that needs to be addressed urgently by the Government. Part of the response could be to require enhanced security requirements and background checks for those with access to large pools of personal data. Data controllers should seek to control and limit access to such pooled data.
For more information, see: